How to Decrypt IKE and ESP Packets on a Palo Alto Networks Device https://live.paloaltonetworks.com/t5/Management-Articles/How-to-De...

How to Decrypt IKE and ESP Packets on a Palo Alto Networks Device
by imsed (/t5/user/viewprofilepage/user-id/39915) on 04-09-2017 12:50 PM - edited on 04-12-2017 12:03 PM by arsimon (/t5/user/viewprofilepage/user-id/31338) (2,762 Views)

Labels: Decryption, Management, Network

Overview

When ipsec tunnels terminate on a Palo Alto Networks firewall, it is possible to decrypt the traffic using the keys recorded in ikemgr.log. This can be very useful for troubleshooting ike, and performance issues with ipsec tunnels such as packet loss and out-of-order packets.
Details

In this article, we will illustrate how to decrypt ikev1 in main mode and ESP packets using the following topology. The same steps can be used with ikev2.
By default, the debugging level of ikemgr is normal. To log the negotiated authentication and encryption keys, we must increase the debugging level to dump.

admin@FW1> debug ike global show
sw.ikedaemon.debug.global: normal
admin@FW1> debug ike global on dump
admin@FW1> debug ike global show
sw.ikedaemon.debug.global: dump

Packets can be captured anywhere between FW1 and FW2. On our test setup, we will take packet captures on FW1 following this guide: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

To capture clear and encrypted data between User1 and User2 we are going to use the following filters.

admin@FW1> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.112.104[0]->192.168.125.110[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 10.193.121.91[0]->10.193.121.93[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Stage receive : file rx
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage transmit : file tx
Captured: packets - 1 bytes - 0
Maximum: packets - 0 bytes - 0
Stage drop : file dr
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0

At this point, we need to bounce the ipsec tunnel to start a new negotiation process and log the ipsec phase 1 and phase 2 keys.

admin@FW1> clear vpn ike-sa gateway TO-FW2
admin@FW1> clear vpn ipsec-sa tunnel To-FW2

Then generate traffic between User1 and User2 and make sure that the tunnel is up.
admin@FW1> show vpn ike-sa gateway TO-FW2

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm           Established      Expiration       V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------           -----------      ----------       -   --  --  -----
1               10.193.121.93  TO-FW2        Init  Main  PSK/ DH2/A128/SHA1  Apr.08 21:57:04  Apr.08 22:03:04  v1  12  4   1

Show IKEv1 IKE SA: Total 2 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Algorithm           SPI(in)   SPI(out)  MsgID     ST  Xt
--------------  ------------   ------------  ----  ---------           -------   --------  -----     --  --
1               10.193.121.93  TO-FW2        Init  ESP/ DH5/tunl/SHA2  B57366C2  B82D7CDE  547B1BD5  9   1

Show IKEv1 phase2 SA: Total 2 gateways found. 1 ike sa found.

Decrypt ikev1 on main mode.

With ikev1, the identification and quick mode messages are encrypted. Sometimes it is necessary to decrypt them to verify which parameters were exchanged between the two peers.

Here is an example of an encrypted identification message.

1 de 3 14/12/2017 11:06
To decrypt ikev1 messages, we need two pieces of information:

- The Initiator's cookie, which corresponds to the Initiator SPI in the packet capture: 294ff0e604e73f31
- The encryption key, which can be found in the ikemgr.log: search for cookie:294ff0e604e73f31 and then scroll through the negotiation messages until you find the final computed encryption key.

2017-04-08 21:57:04 [DEBUG]: oakley.c:3157:oakley_compute_enckey(): final encryption key computed:
2017-04-08 21:57:04 [DEBUG]: oakley.c:3158:oakley_compute_enckey():
793f8697 cc0e8cdb 5851496c 0acff14c

Next, go to Wireshark > Edit > Preferences > Protocols > ISAKMP > IKEv1 Decryption Table and enter the Initiator's COOKIE and Encryption key:


And here is the decrypted identification message:



Decrypt ESP packets.

Decrypting ESP packets follows the same principle as ike, but requires more parameters.


Protocol: IPv4
Src IP: The source IP of the ESP packets you want to decrypt. For the example above, 10.193.121.91
Dst IP: The destination IP of the ESP packets you want to decrypt. For the example above, 10.193.121.93
ESP SPI: You can find it in the packet capture under Encapsulating Security Payload. In our example, it is 0xb82d7cde
Encryption and Authentication Algorithm: They are part of the output of the "show vpn flow" command.

admin@FW1> show vpn flow name To-FW2 | match algorithm
auth algorithm: SHA256
enc algorithm: AES128

Encryption and Authentication Keys, which can be found in the ikemgr.log:

21.93[500]/0, satype=141 (ESP), spi=, wsize=4, authtype=41 (SHA256), enctype=15 (AES128), saflags=0x0, samode=137 (tunl), reqid=0, lifetime hard time 180, bytes 0, lifetime soft time 146, bytes 0, enckey len=16 [3d6991e6a0f888d240c8d539a54676a7], authkey len=32 [bbac69f722297906c11d7d9038248ba3b509519a0e1e37bb0652752130c8324c]

Next, go to Wireshark > Edit > Preferences > Protocols > ESP Decryption and select Attempt to detect/decode encrypted ESP
payloads:


Then edit the ESP SAs.


After that you will see the ESP packets decrypted.
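To turn the two ikemgr.log fragments above into the values Wireshark asks for, here is an added Python example (not part of the original article): it pulls the phase-1 encryption key and the ESP keys out of the log, checks that each key length matches the algorithm PAN-OS reports, and formats one ESP SA row. The log text is constructed from the values quoted on this page (the ESP SPI is taken from the capture, as the article says, because the log line shows "spi="); the Wireshark algorithm labels in WS_ENC/WS_AUTH and the field order in esp_sa_row are assumptions to confirm against your Wireshark version.

```python
import re

# Constructed sample: the two ikemgr.log fragments quoted in the article,
# as written at "debug ike global on dump" level.
IKEMGR_LOG = """\
2017-04-08 21:57:04 [DEBUG]: oakley.c:3157:oakley_compute_enckey(): final encryption key computed:
2017-04-08 21:57:04 [DEBUG]: oakley.c:3158:oakley_compute_enckey():
793f8697 cc0e8cdb 5851496c 0acff14c
satype=141 (ESP), spi=, wsize=4, authtype=41 (SHA256), enctype=15 (AES128), saflags=0x0, samode=137 (tunl), reqid=0, lifetime hard time 180, bytes 0, lifetime soft time 146, bytes 0, enckey len=16
[3d6991e6a0f888d240c8d539a54676a7], authkey len=32
[bbac69f722297906c11d7d9038248ba3b509519a0e1e37bb0652752130c8324c]
"""

# Expected key sizes in bytes for the PAN-OS algorithm names; a mismatch means
# the wrong log line (or a partial key) was copied.
ENC_KEY_LEN = {"AES128": 16, "AES192": 24, "AES256": 32, "3DES": 24}
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20, "SHA256": 32, "SHA384": 48, "SHA512": 64}
# Wireshark ESP SA algorithm labels (assumed; confirm under Protocols > ESP).
WS_ENC = {"AES128": "AES-CBC [RFC3602]", "AES256": "AES-CBC [RFC3602]"}
WS_AUTH = {"SHA1": "HMAC-SHA-1-96 [RFC2404]", "SHA256": "HMAC-SHA-256-128 [RFC4868]"}


def ike_phase1_key(log: str) -> str:
    """Return the final IKEv1 encryption key as one hex string (spaces removed)."""
    m = re.search(r"final encryption key computed:\n.*\n([0-9a-f ]+)", log)
    if not m:
        raise ValueError("no 'final encryption key computed' entry in log")
    return m.group(1).replace(" ", "")


def esp_sa(log: str) -> dict:
    """Parse the ESP SA entry and check key lengths against the negotiated algorithms."""
    m = re.search(r"authtype=\d+ \((\w+)\).*?enctype=\d+ \((\w+)\).*?"
                  r"enckey len=(\d+)\s*\[([0-9a-f]+)\].*?authkey len=(\d+)\s*\[([0-9a-f]+)\]",
                  log, re.S)
    if not m:
        raise ValueError("no ESP SA entry in log")
    auth, enc, elen, ekey, alen, akey = m.groups()
    if len(ekey) != 2 * int(elen) or ENC_KEY_LEN.get(enc) != int(elen):
        raise ValueError(f"enckey len={elen} does not fit {enc}")
    if len(akey) != 2 * int(alen) or AUTH_KEY_LEN.get(auth) != int(alen):
        raise ValueError(f"authkey len={alen} does not fit {auth}")
    return {"enc": enc, "auth": auth, "enckey": ekey, "authkey": akey}


def esp_sa_row(sa: dict, src: str, dst: str, spi: str) -> str:
    """One row for Wireshark's ESP SAs table; src, dst and SPI come from the capture."""
    fields = ("IPv4", src, dst, spi, WS_ENC[sa["enc"]], "0x" + sa["enckey"],
              WS_AUTH[sa["auth"]], "0x" + sa["authkey"])
    return ",".join(f'"{f}"' for f in fields)
```

Run ike_phase1_key(IKEMGR_LOG) for the IKEv1 Decryption Table entry and esp_sa_row(esp_sa(IKEMGR_LOG), "10.193.121.91", "10.193.121.93", "0xb82d7cde") for the ESP SA entry.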

Comments

by mbavishi (/t5/user/viewprofilepage/user-id/967)
08-21-2017 04:30 AM - edited 08-21-2017 04:32 AM

Super document! I was looking for a way to decrypt ESP packets for quite a time and here it is!
Thanks for sharing.
Also, to check the decrypted ike packets, ikemgr pcap is useful.
It shows packets in clear text for both phase 1 and phase 2.
If we are just troubleshooting VPN and not traffic, ikemgr pcap is good enough.
